incubator-ooo-dev mailing list archives

From "Gavin McDonald" <ga...@16degrees.com.au>
Subject RE: Population of ooo-security
Date Fri, 29 Jul 2011 01:52:35 GMT


> -----Original Message-----
> From: Rob Weir [mailto:apache@robweir.com]
> Sent: Friday, 29 July 2011 11:25 AM
> To: ooo-dev@incubator.apache.org
> Subject: Re: Population of ooo-security
> 

<snip>

> 
> That raises some questions:
> 
> A) How does one engage with the Apache Security team for "help and advice
> to Apache projects on security issues" if any mail that "does not relate to an
> undisclosed security problem in an Apache product will be ignored".  Is there
> another list we should be asking process-related questions?

There is the security@apache.org list. However, all our project security mailing
lists are linked with that list automatically - any email sent to ooo-security list
for instance will also send a copy to the main apache security team list.

> 
> B) What is the significance of their statement, "All members of the Security
> Team are also members of the Apache Software Foundation".
> That means that they can vote for members of the Apache Board, right?
> Why is that significant for the security?

It means only members of the foundation may be a member of the main
Apache security team. This is for several reasons, one of which is simply
that only members of the foundation can have access to other projects' private
mailing lists, a pretty important need for any security team member as
all project security lists are private.


Gav...

> 
> 
> [1] http://www.apache.org/security/
> 
> 
> > It is interesting to see the type of information about each CVE and the fixes
> > on three different Tomcat versions.
> >
> > Regards,
> > Dave

